Network time protocol (NTP) is a time synchronization protocol defined in RFC 1305. It is used for time synchronization between a set of distributed time servers and clients. Carried over UDP, NTP transmits packets through UDP port 123.
NTP is intended to synchronize the clocks of all devices in a network so that they stay consistent. The devices can then support applications that depend on a unified time (see section 1.1.1).
A local system running NTP can not only be synchronized by other clock sources, but also serve as a clock source to synchronize other clocks. It can also synchronize, or be synchronized by, other systems by exchanging NTP messages.
Setting the system time manually on each device in a large network is laborious and cannot guarantee accuracy, so it is not a practical task for an administrator. By configuring NTP, however, an administrator can synchronize the clocks of all devices in the network to the required accuracy.
NTP is mainly used to synchronize the clocks of all devices in a network. For example:
• In network management, the analysis of log information and debugging information collected from different devices is meaningful and valid only when the network devices that generate the information adopt the same time.
• A billing system requires that the clocks of all network devices be consistent.
• Some functions, such as restarting all network devices in a network simultaneously, require that the devices adopt the same time.
• When multiple systems cooperate to handle a rather complex transaction, they must adopt the same time to ensure a correct execution order.
• To perform incremental backup operations between a backup server and a host, you must make sure they adopt the same time.
NTP has the following advantages:
• Defining the accuracy of clocks by stratum, so that the clocks of all devices in a network can be synchronized quickly
• Supporting access control (see section 1.4) and MD5 authentication (see section 1.5)
• Sending protocol packets in unicast, multicast, or broadcast mode

• The clock stratum determines the accuracy and ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. Clock accuracy decreases as the stratum number increases. A stratum 16 clock is unsynchronized and cannot serve as a reference clock.
• The local clock of an S3100 Ethernet switch cannot be set as a reference clock. The switch can serve as a reference clock source for other devices only after its own clock has been synchronized.
Figure 1-1 shows the implementation principle of NTP.
Ethernet switch A (Device A) is connected to Ethernet switch B (Device B) through Ethernet ports. Each has its own system clock, and the two clocks are to be synchronized through NTP. To help you understand the implementation principle, suppose that:
• Before the system clocks of Device A and Device B are synchronized, the clock of Device A is set to 10:00:00 am and the clock of Device B is set to 11:00:00 am.
• Device B serves as the NTP server, that is, the clock of Device A will be synchronized to that of Device B.
• It takes one second to transfer an NTP message from Device A to Device B or from Device B to Device A.

Figure 1-1 Implementation principle of NTP
The procedure of synchronizing the system clock is as follows:
• Device A sends an NTP message to Device B, carrying the timestamp 10:00:00 am (T1) that identifies when it was sent.
• When the message arrives at Device B, Device B inserts its own timestamp, 11:00:01 am (T2), into the packet.
• When the NTP message leaves Device B, Device B inserts its own timestamp, 11:00:02 am (T3), into the packet.
• When Device A receives the response packet, its local time is 10:00:03 am (T4).
At this point, Device A has enough information to calculate the following two parameters:
• Delay for an NTP message to make a round trip between Device A and Device B: Delay = (T4 - T1) - (T3 - T2).
• Time offset of Device A relative to Device B: Offset = ((T2 - T1) + (T3 - T4)) / 2.
Device A can then set its own clock according to the above information to synchronize it to that of Device B. For detailed information, refer to RFC 1305.
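The Device A / Device B exchange above, worked through in code as an added example (not code from the switch or from RFC 1305): a constructed mode-4 server reply carries T1, T2 and T3 in the RFC 1305 64-bit timestamp format, the client supplies T4, and the two formulas give the delay and offset; the calendar date and the server stratum are assumptions.

```python
"""Added example: derive NTP round-trip delay and clock offset from a server reply."""
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # NTP era 0 start
# 48-byte NTP header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, reference id, reference/originate/receive/transmit stamps.
HEADER = "!BBBbIIIQQQQ"


def to_ntp_timestamp(dt):
    """Encode a datetime as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    delta = dt - NTP_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    fraction = delta.microseconds * (1 << 32) // 1_000_000
    return (seconds << 32) | fraction


def from_ntp_timestamp(value):
    """Decode a 64-bit NTP timestamp back into a UTC datetime."""
    seconds, fraction = value >> 32, value & 0xFFFFFFFF
    micros = fraction * 1_000_000 // (1 << 32)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def build_server_reply(t1, t2, t3, stratum):
    """Construct the mode-4 (server) reply that Device B returns to Device A."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4          # LI=0, NTP version 3, mode 4
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       to_ntp_timestamp(t2),     # reference stamp (placeholder)
                       to_ntp_timestamp(t1),     # originate: T1 echoed from client
                       to_ntp_timestamp(t2),     # receive:   T2
                       to_ntp_timestamp(t3))     # transmit:  T3


def compute_delay_offset(reply, t4):
    """Apply the page's two formulas to a parsed reply and the local receive time T4."""
    fields = struct.unpack(HEADER, reply[:48])
    if fields[0] & 0x07 != 4:
        raise ValueError("not a server (mode 4) reply")
    t1, t2, t3 = (from_ntp_timestamp(v) for v in fields[8:11])
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset, fields[1]


def client_may_adopt(server_stratum, client_stratum):
    """Stratum 16 is unsynchronized; an equal or worse stratum is also refused."""
    return server_stratum < 16 and server_stratum < client_stratum


def demo(day=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Run the exchange with T1..T4 as given in the text (the date is constructed)."""
    t1 = day.replace(hour=10, minute=0, second=0)   # Device A sends
    t2 = day.replace(hour=11, minute=0, second=1)   # Device B receives
    t3 = day.replace(hour=11, minute=0, second=2)   # Device B replies
    t4 = day.replace(hour=10, minute=0, second=3)   # Device A receives
    reply = build_server_reply(t1, t2, t3, stratum=2)   # server stratum assumed
    delay, offset, stratum = compute_delay_offset(reply, t4)
    # An unsynchronized client is at stratum 16; it adopts the offset only if allowed.
    corrected = t4 + offset if client_may_adopt(stratum, 16) else t4
    return delay.total_seconds(), offset.total_seconds(), corrected.strftime("%H:%M:%S")
```

With the page's values the delay comes out as 2 seconds and the offset as 3600 seconds, so Device A moves its clock from 10:00:03 to 11:00:03.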
According to the network structure and the position of the local Ethernet switch in the network, the local Ethernet switch can work in one of several NTP modes to synchronize its clock.
I. Server/client mode

Figure 1-2 Server/client mode
II. Symmetric peer mode

Figure 1-3 Symmetric peer mode
In the symmetric peer mode, the local S3100 Ethernet switch serves as the symmetric-active peer and sends the clock synchronization request first, while the remote server automatically serves as the symmetric-passive peer.
If both peers have reference clocks, the one with the smaller stratum number is adopted.
III. Broadcast mode

Figure 1-4 Broadcast mode
IV. Multicast mode

Figure 1-5 Multicast mode
Table 1-1 describes how the above NTP modes are implemented on H3C S3100 series Ethernet switches.
Table 1-1 NTP implementation modes on H3C S3100 series Ethernet switches

| NTP implementation mode | Configuration on S3100 series switches |
|---|---|
| Server/client mode | Configure the local S3100 Ethernet switch to work in the NTP client mode. In this mode, the remote server serves as the local time server, while the local switch serves as the client. |
| Symmetric peer mode | Configure the local S3100 switch to work in NTP symmetric peer mode. In this mode, the remote server serves as the symmetric-passive peer of the S3100 switch, and the local switch serves as the symmetric-active peer. |
| Broadcast mode | Server: configure the local S3100 Ethernet switch to work in NTP broadcast server mode. In this mode, the local switch broadcasts NTP messages through the VLAN interface configured on the switch. Client: configure the S3100 switch to work in NTP broadcast client mode. In this mode, the local S3100 switch receives broadcast NTP messages through the VLAN interface configured on the switch. |
| Multicast mode | Server: configure the local S3100 Ethernet switch to work in NTP multicast server mode. In this mode, the local switch sends multicast NTP messages through the VLAN interface configured on the switch. Client: configure the local S3100 Ethernet switch to work in NTP multicast client mode. In this mode, the local switch receives multicast NTP messages through the VLAN interface configured on the switch. |
Caution:
• When an H3C S3100 Ethernet switch works in server mode or symmetric-passive mode, you do not need to perform the related configurations on this switch; perform them on the client or the symmetric-active peer instead.
• The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the H3C S3100 Ethernet switch has been synchronized.
• When symmetric peer mode is configured on two Ethernet switches, make sure at least one switch's clock has been synchronized; otherwise the clocks of the two switches cannot be synchronized.
Table 1-2 NTP configuration tasks
An S3100 Ethernet switch can work in one of the following NTP modes:
• Configuring NTP Server/Client Mode
• Configuring the NTP Symmetric Peer Mode
• Configuring NTP Broadcast Mode
• Configuring NTP Multicast Mode
To protect unused sockets against attacks by malicious users and improve security, H3C S3100 series Ethernet switches provide the following functions:
• UDP port 123 is opened only when the NTP feature is enabled.
• UDP port 123 is closed when the NTP feature is disabled.
These functions are implemented as follows:
• Executing one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
• Executing the undo form of any of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
For switches working in the server/client mode, you only need to perform configurations on the clients, not on the servers.
Table 1-3 Configure an NTP client

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Configure an NTP client | ntp-service unicast-server { remote-ip \| server-name } [ authentication-keyid key-id \| priority \| source-interface Vlan-interface vlan-id \| version number ]* | Required. By default, the switch is not configured to work in the NTP client mode. |

• The remote server specified by remote-ip or server-name serves as the NTP server, and the local switch serves as the NTP client. The clock of the NTP client is synchronized to that of the NTP server, but the client never synchronizes the server's clock.
• remote-ip cannot be a broadcast address, a multicast address, or the IP address of the local clock.
• After you specify an interface for sending NTP messages through the source-interface keyword, the source IP address of the NTP messages is set to the primary IP address of the specified interface.
• A switch can act as a server to synchronize the clocks of other switches only after its own clock has been synchronized. If the server's clock is at a stratum level lower than or equal to that of the client's clock (that is, its stratum number is greater than or equal to the client's), the client will not synchronize its clock to the server's.
• You can configure multiple servers by repeating the ntp-service unicast-server command. The client will choose the optimal reference source.
For switches working in the symmetric peer mode, you need to specify a symmetric-passive peer on the symmetric-active peer.
Table 1-4 Configure a symmetric-active switch

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Specify a symmetric-passive peer for the switch | ntp-service unicast-peer { remote-ip \| peer-name } [ authentication-keyid key-id \| priority \| source-interface Vlan-interface vlan-id \| version number ]* | Required. By default, a switch is not configured to work in the symmetric mode. |

• In the symmetric peer mode, you need to execute the related NTP configuration commands (refer to section 1.3 for details) to enable NTP on the symmetric-passive peer; otherwise, the symmetric-passive peer will not process NTP messages from the symmetric-active peer.
• The remote device specified by remote-ip or peer-name serves as the peer of the local Ethernet switch, and the local switch works in the symmetric-active mode. In this case, the clock of the local switch and that of the remote device can be synchronized to each other.
• remote-ip must not be a broadcast address, a multicast address, or the IP address of the local clock.
• After you specify an interface for sending NTP messages through the source-interface keyword, the source IP address of the NTP messages is set to the IP address of the specified interface.
• Typically, the clock of at least one of the symmetric-active and symmetric-passive peers should be synchronized first; otherwise the clock synchronization will not proceed.
• You can configure multiple symmetric-passive peers for the local switch by repeating the ntp-service unicast-peer command. The clock of the peer with the smallest stratum number will be chosen to synchronize the local clock of the switch.
For switches working in the broadcast mode, you need to configure both the server and the clients. The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. Switches working in the NTP broadcast client mode respond to these messages, so as to start the clock synchronization.
An H3C S3100 series Ethernet switch can work as a broadcast server or a broadcast client.
• Refer to Table 1-5 for configuring a switch to work in the NTP broadcast server mode.
• Refer to Table 1-6 for configuring a switch to work in the NTP broadcast client mode.
A broadcast server can synchronize broadcast clients only after its clock has been synchronized.
I. Configuring a switch to work in the NTP broadcast server mode
Table 1-5 Configure a switch to work in the NTP broadcast server mode

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure the switch to work in the NTP broadcast server mode | ntp-service broadcast-server [ authentication-keyid key-id \| version number ]* | Required. Not configured by default. |
II. Configuring a switch to work in the NTP broadcast client mode
Table 1-6 Configure a switch to work in the NTP broadcast client mode

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure the switch to work in the NTP broadcast client mode | ntp-service broadcast-client | Required. Not configured by default. |
For switches working in the multicast mode, you need to configure both the server and the clients. The multicast server periodically sends NTP multicast messages to the multicast clients. Switches working in the NTP multicast client mode respond to these messages, so as to start the clock synchronization.
An H3C S3100 series Ethernet switch can work as a multicast server or a multicast client.
• Refer to Table 1-7 for configuring a switch to work in the NTP multicast server mode.
• Refer to Table 1-8 for configuring a switch to work in the NTP multicast client mode.
• A multicast server can synchronize multicast clients only after its clock has been synchronized.
• An S3100 series switch working in the multicast server mode supports up to 1,024 multicast clients.
I. Configuring a switch to work in the multicast server mode
Table 1-7 Configure a switch to work in the NTP multicast server mode

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure the switch to work in the NTP multicast server mode | ntp-service multicast-server [ ip-address ] [ authentication-keyid key-id \| ttl ttl-number \| version number ]* | Required. Not configured by default. |
II. Configuring a switch to work in the multicast client mode
Table 1-8 Configure a switch to work in the NTP multicast client mode

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN interface view | interface Vlan-interface vlan-id | — |
| Configure the switch to work in the NTP multicast client mode | ntp-service multicast-client [ ip-address ] | Required. Not configured by default. |
With the following command, you can configure the NTP service access-control right that a peer device has to the local switch. There are four access-control rights:
• query: Control query right. This level permits the peer device to perform control queries of the NTP service on the local device but does not permit the peer device to synchronize its clock to the local device. A "control query" is a query of the state of the NTP service, including alarm information, authentication status, clock source information, and so on.
• synchronization: Synchronization right. This level permits the peer device to synchronize its clock to the local switch but does not permit it to perform control queries.
• server: Server right. This level permits the peer device to perform synchronization and control queries to the local switch but does not permit the local switch to synchronize its clock to the peer device.
• peer: Peer access. This level permits the peer device to perform synchronization and control queries to the local switch and also permits the local switch to synchronize its clock to the peer device.
From the highest NTP service access-control right to the lowest, the order is peer, server, synchronization, and query. When a device receives an NTP request, it matches the access-control rights in this order and uses the first right that matches.
Before configuring the NTP service access-control right to the local switch for peer devices, you need to create and configure an ACL and associate it with the access-control right. For ACL configuration, refer to ACL Configuration in the Security Volume.
Table 1-9 Configure the NTP service access-control right to the local device for peer devices

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Configure the NTP service access-control right to the local switch for peer devices | ntp-service access { peer \| server \| synchronization \| query } acl-number | Optional. peer by default. |
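A model of the right selection described above, added here as an example and not the switch's own implementation: rights are tried in the order peer, server, synchronization, query, the first ACL match wins, and with nothing configured the default right peer applies. The sample policy and source addresses are constructed, and treating a request that matches no configured ACL as having no right is an assumption of this model.

```python
"""Added example: model of NTP access-control right selection on the local switch."""
import ipaddress

RIGHT_ORDER = ("peer", "server", "synchronization", "query")  # highest first

# What each right lets the peer device do against the local switch, and whether
# the local switch may in turn synchronize its own clock to that peer.
PERMITS = {
    "peer": {"synchronize", "control-query", "be-synchronized"},
    "server": {"synchronize", "control-query"},
    "synchronization": {"synchronize"},
    "query": {"control-query"},
}


def build_acl(*cidrs):
    """Stand-in for the switch ACL bound to a right: a list of permitted source networks."""
    return [ipaddress.ip_network(c) for c in cidrs]


def match_right(rights, source_ip):
    """Return the first right (in RIGHT_ORDER) whose ACL permits source_ip, or None."""
    if not rights:
        return "peer"                       # page: "peer by default"
    source = ipaddress.ip_address(source_ip)
    for right in RIGHT_ORDER:
        acl = rights.get(right)
        if acl is not None and any(source in net for net in acl):
            return right
    return None                             # assumption: no configured ACL matched


def is_allowed(rights, source_ip, operation):
    """Decide whether a request of the given kind from source_ip is permitted."""
    right = match_right(rights, source_ip)
    return right is not None and operation in PERMITS[right]


# Constructed sample policy: only the management subnet gets full peer access,
# the rest of the site may synchronize and query, and everyone else may only query.
SAMPLE_RIGHTS = {
    "peer": build_acl("10.1.1.0/24"),
    "server": build_acl("10.1.0.0/16"),
    "query": build_acl("0.0.0.0/0"),
}
```

Because 10.1.1.0/24 lies inside 10.1.0.0/16, a host there matches both the peer and the server ACL; the first-match order gives it peer.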
In networks with higher security requirements, the NTP authentication function must be enabled to run NTP. Through password authentication on the client and the server, the clock of the client is synchronized only to a server that passes authentication. This improves network security. Table 1-10 shows the roles of devices in the NTP authentication function.
Table 1-10 Description of the roles of devices in the NTP authentication function

| Role of device | Working mode |
|---|---|
| Client | Client in the server/client mode |
| Client | Client in the broadcast mode |
| Client | Client in the multicast mode |
| Client | Symmetric-active peer in the symmetric peer mode |
| Server | Server in the server/client mode |
| Server | Server in the broadcast mode |
| Server | Server in the multicast mode |
| Server | Symmetric-passive peer in the symmetric peer mode |
NTP authentication configuration involves:
• Configuring NTP authentication on the client
• Configuring NTP authentication on the server
Observe the following principles when configuring NTP authentication:
• If the NTP authentication function is not enabled on the client, the clock of the client can be synchronized to a server regardless of whether the NTP authentication function is enabled on the server (assuming that the other related configurations are properly performed).
• For the NTP authentication function to take effect, a trusted key needs to be configured on both the client and the server after NTP authentication is enabled on them.
• The local clock of the client is synchronized only to a server that provides a trusted key.
• In addition, for the server/client mode and the symmetric peer mode, you need to associate a specific key on the client (the symmetric-active peer in the symmetric peer mode) with the corresponding NTP server (the symmetric-passive peer in the symmetric peer mode); for the NTP broadcast/multicast mode, you need to associate a specific key on the broadcast/multicast server with the corresponding NTP broadcast/multicast client. Otherwise, NTP authentication cannot be enabled normally.
• Configurations on the server and the client must be consistent.
1.5.2 Configuration Procedure
I. Configuring NTP authentication on the client
Table 1-11 Configure NTP authentication on the client

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable the NTP authentication function | ntp-service authentication enable | Required. Disabled by default. |
| Configure the NTP authentication key | ntp-service authentication-keyid key-id authentication-mode md5 value | Required. By default, no NTP authentication key is configured. |
| Configure the specified key as a trusted key | ntp-service reliable authentication-keyid key-id | Required. By default, no trusted key is configured. |
| Associate the specified key with the corresponding NTP server: configure on the client in the server/client mode | ntp-service unicast-server { remote-ip \| server-name } authentication-keyid key-id | Required. For a client in the NTP broadcast/multicast mode, you only need to associate the specified key with the client on the corresponding server. |
| Associate the specified key with the corresponding NTP server: configure on the symmetric-active peer in the symmetric peer mode | ntp-service unicast-peer { remote-ip \| peer-name } authentication-keyid key-id | Required. For a client in the NTP broadcast/multicast mode, you only need to associate the specified key with the client on the corresponding server. |

NTP authentication requires that the authentication keys configured for the server and the client be the same. The authentication keys must also be trusted keys. Otherwise, the clock of the client cannot be synchronized to that of the server.
II. Configuring NTP authentication on the server
Table 1-12 Configure NTP authentication on the server

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable NTP authentication | ntp-service authentication enable | Required. Disabled by default. |
| Configure an NTP authentication key | ntp-service authentication-keyid key-id authentication-mode md5 value | Required. By default, no NTP authentication key is configured. |
| Configure the specified key as a trusted key | ntp-service reliable authentication-keyid key-id | Required. By default, no trusted authentication key is configured. |
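The three checks that the key rules above amount to, as an added example that is not the S3100's own code: the receiver looks up the key-id carried in the packet, refuses a key that is configured but not made reliable, and recomputes the RFC 1305 MD5 authenticator (4-byte key-id followed by MD5 over key || 48-byte header) so that a different key value on the other side fails. The key-ids, key values and the client header are constructed.

```python
"""Added example: MD5 keyed authentication check on an NTP packet (RFC 1305 MAC layout)."""
import hashlib
import hmac
import struct

HEADER_LEN = 48   # NTP header; the authenticator follows it
MAC_LEN = 4 + 16  # key-id + MD5 digest


def append_mac(header, key_id, key):
    """Sender side: append key-id and MD5(key || header) to an outgoing packet."""
    digest = hashlib.md5(key + header[:HEADER_LEN]).digest()
    return header[:HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_mac(packet, keys, trusted_ids):
    """Receiver side: return (accepted, reason) for an incoming packet.

    keys maps key-id -> key value (ntp-service authentication-keyid ...);
    trusted_ids holds the ids marked reliable (ntp-service reliable ...).
    """
    if len(packet) < HEADER_LEN + MAC_LEN:
        return False, "no authenticator"
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    received = packet[HEADER_LEN + 4:HEADER_LEN + MAC_LEN]
    key = keys.get(key_id)
    if key is None:
        return False, "key-id not configured"
    if key_id not in trusted_ids:
        return False, "key not trusted"
    expected = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    if not hmac.compare_digest(expected, received):   # constant-time comparison
        return False, "digest mismatch"
    return True, "ok"


# Constructed client request header: LI=0, version 3, mode 3 (client), rest zero.
CLIENT_HEADER = bytes([0x1B]) + bytes(HEADER_LEN - 1)


def demo():
    """Walk through the page's principles with constructed keys; returns the outcomes."""
    client_packet = append_mac(CLIENT_HEADER, 10, b"example-key-10")
    cases = {
        # server has key-id 10 with the same value and marks it reliable
        "matching trusted key": ({10: b"example-key-10"}, {10}),
        # same key configured on the server but never made reliable
        "key not reliable": ({10: b"example-key-10"}, set()),
        # key-id 10 exists on the server but with a different value
        "different key value": ({10: b"other-value"}, {10}),
        # server only knows key-id 20
        "key-id missing": ({20: b"example-key-10"}, {20}),
    }
    return {name: verify_mac(client_packet, k, t) for name, (k, t) in cases.items()}
```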